Is obfuscated code good or bad

Viewing 9 reply threads
    • #3707
      timmedin
      Participant

      An interesting article discussing the attrition war of authors vs reverse engineers and Anti-Virus/Anti-Malware.

      Sun Tzu counseled a strategy of maneuver warfare, and that is the doctrine followed by modern militaries. We need to find something different than the attrition warfare that sustains the malware ecosystem in the state it is in today.

      Obfuscation, the deliberate hiding of the software’s behavior, is used by malware authors as well as legitimate software developers. They both use code obfuscation techniques to keep curious souls from understanding how their software works and what it is doing to the computer on which it runs.

      Good Obfuscation, Bad Code
      http://www.securityfocus.com/columnists/498/1

    • #23795
      NickFnord
      Participant

      Danny Quist also has something to say about it. Interesting how anti-virus software is reporting obfuscation as potential malware.

      http://www.offensivecomputing.net/?q=node/1165

    • #23796
      Ketchup
      Participant

      This is only my opinion, but I believe that AntiVirus makers are so far behind the curve, they are just grasping at straws. They are not capable of catching anything remotely unfamiliar with signatures, so they are expanding “detection” to include legitimate software to “be on the safe side.”

    • #23797
      jason
      Participant

      Yup, you can see the same thing with keygens. Most antimalware tools will flag them as malware.

    • #23798
      Ketchup
      Participant

      I know nothing of these “keygens” you speak of 😉

    • #23799
      jason
      Participant

      Educational use only of course 🙂

    • #23800
      NickFnord
      Participant

      I don’t understand why they would do this – a keygen is just a reproduction of the algorithm used to produce a registration key.

      Unless they used the program itself to self-keygen and that somehow flagged it…

    • #23801
      Ketchup
      Participant

      They are usually packed with something.

    • #23802
      Jhaddix
      Participant

      @Ketchup wrote:

      They are usually packed with something.

      Indeed, they usually are. I saw this YouTube video of a researcher downloading keygens and monitoring them with Wireshark, PortMon, Process Explorer, and Process Monitor.

      It dropped some stealthy and blatantly malicious stuff of its own. Wish I had bookmarked it.

      His solution? (assuming these keygens were legal pieces of code) Use a VM to run them.

      If they use a patch-like function to insert a key (a la registry injection), stay away.

      If you have to replace files manually (aka an .exe), run for the hills.

    • #23803
      NickFnord
      Participant

      Back in the day we had to patch the .exe to make it run from the HD, not the CD. But I guess that’s not so much a problem nowadays with virtual CDs etc. Not that I engage in this kind of nefarious stuff at all.


Copyright ©2021 Caendra, Inc.
